PayPal Races To Fix iPhone App Security Flaw
Internet-payment provider PayPal said it has rushed out an update to correct a security flaw in its iPhone application that could allow a hacker to intercept users' passwords.
The hole stems from the app's failure to confirm the authenticity of PayPal's website when communicating over the Internet — a basic lapse that the security researcher who found the flaw said would allow someone to access the accounts of unsuspecting users.
PayPal spokeswoman Amanda Pires said the eBay Inc. unit verified the vulnerability Tuesday night and sent a new version of the app to Apple Inc.'s App Store that users will have to download. PayPal also said it would reimburse 100% of any fraudulent activity.
"To my knowledge it has not affected anybody," Ms. Pires said. "We've never had an issue with our app until now."
A hacker would need skill and luck to make use of the vulnerability, which only affects users of the iPhone app connecting over unsecured Wi-Fi networks. It doesn't affect the company's Android app or users of the PayPal.com website.
The PayPal hole results from the app's failure to verify the digital certificate for the payment service's website. Such certificates function as electronic ID cards that let a user's device know a website is legitimate.
Without that confirmation, a hacker could electronically step between a user and PayPal, pretend to be the PayPal website and gather usernames and passwords. The hacker would need to be in the same physical location as the user or have gained access to the same Wi-Fi network.
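The check the article describes the app skipping, as an added example in Python (not PayPal's or viaForensics' code; the certificate dict is constructed and stands in for PayPal's real certificate): a TLS client must both require a certificate that chains to a trusted authority and confirm that the certificate names the host it intended to reach, and the weak configuration is shown beside the corrected one.

```python
import ssl

# Constructed peer certificate in the dict shape returned by ssl.SSLSocket.getpeercert();
# the names are placeholders for PayPal's real certificate, which this example does not have.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "*.paypal.com")),
}

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate dNSName against the host the app dialled."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard may only be the whole leftmost label, must leave at least two fixed labels,
    # and matches exactly one label: "*.paypal.com" covers "www.paypal.com", not "paypal.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """Does the presented certificate actually name the server we intended to talk to?"""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:  # fall back to the subject CN only when there are no dNSName SAN entries
        dns_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(name, hostname) for name in dns_names)

def insecure_context() -> ssl.SSLContext:
    """Weak setting: the link is encrypted but any certificate is accepted, so a hotspot can pose as the site."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can be set to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context() -> ssl.SSLContext:
    """Corrected setting: require a certificate that chains to a trusted CA and names the host."""
    return ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default

def context_verifies_server(ctx: ssl.SSLContext) -> bool:
    """The check a code review should apply to any TLS client: both knobs must be on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

if __name__ == "__main__":
    print("insecure verifies server:", context_verifies_server(insecure_context()))  # False
    print("hardened verifies server:", context_verifies_server(hardened_context()))  # True
    print("cert names www.paypal.com:", hostname_matches(CONSTRUCTED_CERT, "www.paypal.com"))  # True
```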
In practice, that could mean setting up a Wi-Fi hotspot in a location, such as a train station, and waiting for someone to use the network for a PayPal transaction on their iPhone app. It would be a fishing expedition, but the equipment and software needed are commonly available.
The hole is embarrassing for an outfit selling secure services and a reminder that companies are having trouble getting a grip on security as they rush to exploit the capabilities of new, more powerful smartphones.
"This is a colossal oversight on PayPal," said Andrew Hoog, chief investigative officer of viaForensics, a Chicago computer and mobile security firm that found the flaw.
PayPal said its iPhone app has been downloaded more than four million times since it was released in April. In October, the company said it expects more than $700 million in mobile payments to go through its system by the end of this year.
Carriers, credit card companies and banks are pushing mobile payments in hopes of building new lines of business around smartphones.